A user may use a device (e.g., desktop, laptop, and smartphone) to access many different online accounts provided by various account providers. These accounts may include email accounts, financial accounts, social accounts, business accounts, e-commerce accounts, and so on. Because the information stored in these accounts may be sensitive (e.g., bank account numbers), the account providers typically require a rigorous authentication process (e.g., multi-factor authentication) so that the device can access an account. For example, to access a financial account of a financial institution, a user may access a web page of the financial institution and provide the account number. As a first factor of the authentication process, the web page may ask the user a question that the user will likely know the answer to, but others are less likely to know, such as “What is your mother's maiden name?” or “In what year did you open this account?” As the second factor for the authentication process, the financial institution may send a message with a security code to another device (e.g., smartphone) or to another account (e.g., email account) associated with the user, and the web page may prompt the user to enter the security code. If the answer to the question is correct and the security code entered matches the one sent, the user is authenticated.
After the user has been authenticated, the account provider may require the user to provide a user name and password for logging on to the account. To log on to the account using the device, the account provider may again require a multi-factor authentication. For example, the user may be required to enter the user name, the password, and a new security code that is sent to another device of the user. While the use of a multi-factor authentication process to log on to an account provides a high level of security, many users find such a process cumbersome for various reasons. For example, the user may not have immediate access to the other device to which the security code is sent.
To make the logon process easier, an account provider may provision devices so that the account provider can detect that a device through which a user is logging on to an account has been previously used by that user to access the account. A common technique for provisioning a device is to store a persistent cookie provided by the account provider on the device. When the user subsequently logs on using the device, that cookie is provided to the account provider to identify the device.
A more secure technique for provisioning may employ an asymmetric key technique as a factor. Many devices include a secure cryptoprocessor, which may be a component of the central processing unit of the device. (See ISO/IEC 11889 and the Trusted Platform Module of the Trusted Computing Group.) Such a secure cryptoprocessor of a device may generate a public/private key pair and store the private key securely within the secure cryptoprocessor. The secure cryptoprocessor can then encrypt data using the private key. The public key, which is made available outside of the cryptoprocessor, can then be used to decrypt the encrypted data. If the decrypted data matches the data that was expected, the holder of the public key knows that the data originated from the device because it was encrypted using the private key known only to that device.
Once an account provider has the public key of a device, that device is considered to be provisioned to the account. When logging on using the device, the user may be prompted to enter a user name and password. The account provider may then send to that device a security code (i.e., a challenge). A software component of the device (e.g., script of a web page) may request the secure cryptoprocessor to encrypt the security code with the private key and may send the encrypted security code to the account provider. The account provider then decrypts the encrypted data with the public key. If the decrypted data matches the security code, then the account provider knows the security code was encrypted by the provisioned device.
A user may have many devices through which the user may want to access various accounts. The user may have a smartphone, a tablet, a personal laptop, a work laptop, a personal desktop, and a work desktop. The user may want to access many email accounts, social and business networking accounts, e-commerce accounts, financial accounts, and so on from each device. To provision each device to access each account, the user may be required to perform the multi-factor authentication for each combination of device and account.